opening deposit accounts online: rules, risks & …...opening deposit accounts online: rules,...

Opening Deposit Accounts Online: Rules, Risks & Best Practices

P R E S E N T E D B Y : S U S A N C O S T O N I S , C . R . C . M .

C O M P L I A N C E T R A I N I N G & C O N S U L T I N G F O R F I N A N C I A L I N S T I T U T I O N S

s u s a n c o s t o n i s @ m s n . c o m

M a r c h 2 0 1 7

mailto:[email protected]

Disclaimer2

This presentation is designed to provide accurate and authoritative information in regard to thesubject matter covered. The handouts, visuals, and verbal information provided are current as ofthe webinar date. However, due to an evolving regulatory environment, Financial Education &Development, Inc. does not guarantee that this is the most-current information on this subjectafter that time.

Webinar content is provided with the understanding that the publisher is not rendering legal,accounting, or other professional services. Before relying on the material in any important matter,users should carefully evaluate its accuracy, currency, completeness, and relevance for theirpurposes, and should obtain any appropriate professional advice. The content does not necessarilyreflect the views of the publisher or indicate a commitment to a particular course of action. Linksto other websites are inserted for convenience and do not constitute endorsement of material atthose sites, or any associated organization, product, or service.

Sponsors3

Alabama Bankers Association Arkansas Community Bankers California Community Banking Network Independent Bankers of Colorado Florida Bankers Association Community Bankers Association of Georgia Community Banker Association of Illinois Indiana Bankers Association Community Bankers of Iowa Community Bankers Association of Kansas Kentucky Bankers Association Maine Bankers Association Community Bankers of Michigan Independent Community Bankers of Minnesota Missouri Independent Bankers Association Montana Independent Bankers Association Nebraska Independent Community Bankers Independent Comm. Bankers Assoc. of New Mexico Independent Bankers Assoc. of New York State

Independent Community Banks of North Dakota Community Bankers Association of Ohio Community Bankers Association of Oklahoma Pennsylvania Association of Comm. Bankers Independent Banks of South Carolina Independent Comm. Bankers of South Dakota Tennessee Bankers Association Independent Bankers Association of Texas Vermont Bankers Association Virginia Association of Community Banks Community Bankers of Washington Community Bankers of West Virginia Wisconsin Bankers Association

Directed by The Community Bankers Webinar Network

Presented by Susan Costonis, CRCM4

Susan Costonis is a compliance consultant and trainer who beganher career in 1978. She specializes in compliance managementalong with deposit and lending regulatory training. Susan hassuccessfully managed compliance programs and exams forinstitutions that ranged from a community bank to large multi-statebank holding companies. She has been a compliance officer forinstitutions supervised by the OCC, FDIC, and Federal Reserve.Susan has been a Certified Regulatory Compliance Manager since1998, completed the ABA Graduate Compliance School, andgraduated from the University of Akron and the Graduate BankingSchool of the University of Colorado. She regularly presents tofinancial institution audiences in several states and “translates”complex regulations into simple concepts by using humor and reallife examples.

Seminar Objectives5

Electronic banking continues to evolve, and financial institutions must work hard to keep pace with technology, regulatory requirements, and cybersecurity challenges. Recent surveys indicate that 51% of adults in the U.S. bank online and 32% bank with mobile phones. What steps must be followed to be in compliance with E-SIGN?

What You Will Learn

Which deposit regulations are related to E-SIGN and have specific provisions?

E-SIGN risks – CIP for BSA, required disclosures, regulatory oversight (UDAAP – Unfair Deceptive or Abusive Acts), advertising, privacy, technology, policies and procedures, social media, and complaints

Six-step consumer consent process

Basic steps for E-SIGN implementation

Take-away toolkit Current exam procedures and resources for online banking

E-SIGN checklist and answers to common questions

Social media policy template

6

Overview of E-Banking Deposit Compliance

See web address chart for CFPB and banking regulators See the TOOLKIT for e-banking compliance issues

and top ten mistakes in compliance exams, including:1. Truth in Savings

2. Electronic Funds Transfer (Regulation E)3. Regulation CC

4. Financial Information Privacy

7

FFIEC Guidance on Electronic Financial Services8

See the TOOLKIT, important sections include: Introduction and definitions of a “electronic financial service” Compliance regulatory environment Deposit services (Regulation E, Truth in Savings (Regulation DD), Expedited Funds

Availability (Regulation CC), Regulation D) Miscellaneous – required statement of FDIC membership for deposit insurance Compliance policy guidance

Advertisements Disclosures must be “clear and conspicuous,” see notes about “pointers” and “hotlinks;”

see reference to timing requirements for disclosures Record retention

Role of consumer compliance in developing and implementing electronic services

Risk Factors9

1. BSA (Bank Secrecy Act) and CIP (Customer Identification Program)

2. Disclosures (Reg DD, E, CC, Privacy) – accuracy, completeness, and delivery

3. Regulatory Oversight(UDAAP – Unfair Deceptive Abusive Acts and Practices)

4. Advertising5. Privacy – information sharing

practices

6. Technology – changes in sending and receiving electronic disclosures and information

7. Cybersecurity – security breaches, identity theft, and elder abuse

8. Policies and procedures9. Social media – restrictions on

employees use of social media in the workplace

10. Complaints from all sources including those on social media

Traditional Account Opening Online Account Opening

1. Normal risk-based procedures to learn the “true identity” of the person opening the account. Maintain CIP records that include name as it appears on the primary identification, date of birth of an individual, address (residential or business street address, or APO or FPO, identification number of a U.S. person or acceptable numbers for non-U.S. persons.

1. Maintain CIP records as listed in Traditional Account Opening. Enhanced due diligence (EDD) procedures to know the “true identity” of the person opening the account may also apply. This EDD typically requires additional verification like “out-of-wallet” questions that ONLY the actual person can answer. See details.

10BSA and CIP Basics


A customer profile should be created by asking questions at account opening. Account activity questions should be asked to determine if the customer is in a high-risk category such as the number and amount of expected deposits, wires, checks, and ACH activity. Non-documentary procedures can be used.

This EDD may require additional safeguards like checking the validity of the address, SSN and other identifying information. Typically an email address is requested to begin the “consent” process to send electronic disclosures. See options for paper disclosures and signatures. Customer profile required. See options.



2. Display PATRIOT Act notice at the account opening location.

3. Additional CIP procedures include identifying circumstance when an account will not be opened; terms for allowing the account to be opened and used will verification is completed; when an account will be closed, circumstances for filing a Suspicious Activity Report.

2. Providing the PATRIOT Act notice on the website with the deposit account application.

3. Additional CIP; if customer is in a “high-risk” category additional due diligence will be required. Online CIP can be different but must be in writing and approved by the board.



4. OFAC verification procedures must be followed.

5. Identity theft red flags must be followed including checking for alerts, suspicious documents, suspicious personal information, unusual or suspicious activity, notification by customer or law enforcement.

4. OFAC verification procedures must be followed.

5. Identity theft red flags must be followed including checking for alerts, suspicious documents, suspicious personal information, unusual or suspicious activity, notification by customer or law enforcement. Items in bold are high risk for online banking.


Regulation DD Basics14

Regulation DD permits electronic disclosures that comply with the requirements of the E-SIGN Act and waives the E-SIGN Act’s consent provisions for two requirements (account disclosures and advertising).

If a consumer who is not present at the institution uses electronic means (for example, an internet website) to open an account or request a service, the disclosures required under [§ 1030.4(a)(1)] must be provided before an account is opened or a service is provided.

Online advertisements are also subject to the advertisement requirements under the TISA; therefore, banks must ensure that deposit advertisements, including online advertisements, are compliant.

Product Life Cycle Overview

Require management and staff from various functions – to vet, review, and recommend new products and services for senior management or board approval;

Cover the investigative stages of new products and services as well as the approval and deployment stages;

Require that operating policies and procedures are updated to provide clear guidance to staff on how to comply with all legal or regulatory requirements;

Address and mitigate risks throughout the product life cycle, including pricing, marketing, distribution, accounting, and ongoing service and maintenance; and

Require a post-decision review to determine whether the new product or service met the expectations and assumptions used to support the decision.

15

Seven Stages of the Product Life Cycle Diagram16

Deposit Advertising Basics17

General guidelines and best practices – see details on the words “free,” “no cost,” or “low cost”

Service fee warnings

Free for a limited time

Annual Percentage Yield (APY)

Bonus rules

Trigger terms – APY, minimum balance, more disclosures

See “signs and mobile devices” section; no exceptions to advertising rules!

Seven Stages of the Product Life Cycle Chart18

STAGE DEFINITION CONSIDERATIONS1. Strategic

ConsiderationsIncorporates the strategic analysis behind an established, new, or modified product: this includes analyzing the strategic fit for the institution and its customers, as well as any components tied to product development (controls, compensation, platforms, etc.) and the overall benefit of the product to the institution and to consumers

Strategic goals and areas of expertise

Involvement of the board of directors, management, etc.

Regulations or guidance Emerging issues related to the

product Processes (procedures and

operating systems, training staff, monitoring activities, and setting controls)

Use and role of third parties


STAGE DEFINITION CONSIDERATIONS2. Product Design Addresses the process of developing

the actual product and specific considerations such as profitability and fee structure

Target market

Relationship to other products

Applicability of laws and regulations

Types of fees assessed

Delivery systems (note about issues with ADA accessibility of websites)


STAGE DEFINITION CONSIDERATIONS

3. Marketing Outlines the manner in which the product is targeted and marketed

Advertising

Cross-selling to customers

Targeting solicitations


STAGE DEFINITION CONSIDERATIONS4. Product

DeliveryIncorporates the components of the initial interface, including the selling and/or application process

Steering risk Applications Disclosures Fees and terms Role of

compensation and incentives


STAGE DEFINITION CONSIDERATIONS5. Origination or

ConsummationDescribes the process by which a customer qualifies for and obtains the product or service

Disclosures Incentives and

compensation structures

Pricing and underwriting discretion


STAGE DEFINITION CONSIDERATIONS6. Product Use

and DurationIncorporates any and all aspects of a product after the origination or consummation stage; includes servicing, maintenance, dispute and resolution, changes in terms, default or misuse, additional fees, or other costs

Periodic statements and disclosures

Servicing practices and third-party servicers

Communications Repayment options Mobile banking

platforms Delivery systems Complaints


STAGE DEFINITION CONSIDERATIONS7. Termination Addresses the process of the

consumer voluntarily discontinuing use of the product, or the institution’s process of discontinuing the product, or any other process in which the relationship between the consumer and the product ends

Communications

Procedures and practices

Loss mitigation, collection, and foreclosure

Stage One – Strategic Considerations

Details on this content are in the TOOLKIT

25

The financial institution’s risk appetite Its areas of expertise and its ability to deliver the new product or service Consumers’ perceived need for the product Current federal and state consumer protection laws, regulations,

and guidance Financial institution resources Anticipated future regulatory requirements Legal challenges related to the product or service, including lawsuits,

consumer complaints, or public enforcement actions

Stage One – Strategic Considerations26

Resources and expertise What knowledge is needed to effectively deliver the product or service?

Does the financial institution currently possess, or can it cost effectively acquire, the required expertise and staffing level — not only in the business line but also in the compliance and audit areas?

Can the financial institution’s computer systems handle the increased usage resulting from any new products or services?

Does the financial institution currently possess, or can it cost effectively acquire, operational capacity to deliver the product or service (e.g., automated processing, centralized operations, use of third-party service providers)?

What are the consequences of noncompliance or failure to deliver product as promised?

Third Parties

Fairness Complexity

Does the product or service provide a win-win situation for the customer and the institution earns a profit?

Are the features or terms difficult for the customer to understand?

Can communications about the product’s terms and features be made clearly, conspicuously, accurately, and timely?

Does the product have unintended consequences that could harm customers?

Offering large numbers of similar accounts that have many different features, terms, or conditions makes it challenging for the consumer to compare them.

Making product changes during the life cycle that will require additional disclosures.

Including features that can be explained only with disclosures that use dense, legal language and that span many pages.

27Stage Two – Product Design

Stage Three – Marketing28

Is the product accurately portrayed and disclosed in all marketing materials (this would include not just advertising but scripts, training materials, and similar items)?

Can a consumer readily understand and reap the benefits of the product?

Has staff been appropriately trained to sell the product?

Did the compliance staff participate in, or at least review, the marketing strategies and materials for compliance with applicable laws and regulations?

LOOK AT TARGET AUDIENCE ISSUES!

Advertisements – Stage Three Marketing 29

PRODUCT/SERVICE LAW/REGULATIONAll consumer financial products and services

UDAP/UDAAP (target audience issues for vulnerable populations)

Deposit FDIC insurance membership regulationsTruth in Savings Act/Regulation DDRegulation CC

Overdrafts Electronic Fund Transfer Act/Regulation ETruth in Savings Act/Regulation DD

Privacy GLBA Privacy Notice

Details on this content is in the TOOLKIT; See Deposit Advertising Basics

Stage Four – Product Delivery30

Has the institution identified and addressed the risks associated with the applicable delivery channels?

How will the institution comply with the laws and regulations that govern the sales and application processes?

Are there compensation or other incentives that may drive risky behavior by employees?

If third parties are used, is the oversight sufficient and effective? Will consumers receive all the necessary information to make

an informed decision about the product during their initial interaction with the financial institution?

Stage Five – Origination or Consummation31

Has the financial institution considered the risks for each origination channel? For example, risks associated with retail originations will differ from wholesale originations.

Has the financial institution considered the potential for fair lending and UDAP risk during product origination and consummation?

Has the institution implemented appropriate controls to mitigate any perceived risk?

Are the disclosures, product materials, and contractual agreements consistent with one another and clear?

SEE WARNING!

Stage Six – Product and Duration32

Regulatory Requirements and Guidance Annual privacy notices Periodic statements

Subsequent disclosures Changes in terms Account renewal/maturity Interest rate adjustment

and/or payment change

New Servicing Practices Prompt crediting of

payments Timely provision of payoff

statements Error resolution and

information requests Default monitoring and

servicing of delinquent accounts

Debt collection

Stage Six – Product and Duration33

Complaints

Regularly reviewing and evaluating customer complaints can provide insights into how well customers understand the institution’s products and services. Complaints can come from a variety of sources, including customer service calls, written complaints to the financial institution or its primary regulator, customer reviews, or social media. Because complaints can serve as an early indicator of potential concerns, managing a product or service successfully will include a process to monitor and analyze complaints. While it is important to address the specific concerns of any particular customer, determining whether an issue is systemic and whether other customers may be affected is also important.

Financial Institution Initiated Termination

Product Maturity and Voluntary Account Closures

Does the financial institution provide advance notice to customers to allow them sufficient time to migrate to another product or service?

Has the institution trained staff to answer questions from affected customers?

Closing only certain accounts? Would the closure criteria disproportionately affect customers on a prohibited basis?

Does the institution respond accordingly to voluntary account closures?

Does the financial institution comply with applicable regulatory and contractual agreements?

34Stage Seven – Termination

Lessons from the Product Life Cycle Process36

Innovation, market conditions, and consumer demand will always lead to new products and services – change is inevitable! The financial institutions that are the most successful in introducing new products and services consider consumer compliance risk throughout the product life cycle. This framework considers various institutional, legal, regulatory, and environmental factors that may be present at each life cycle stage of the product or service. This comprehensive approach for managing compliance risk helps to ensure that financial institutions can obtain the benefits of the new products and services and avoid the unintended consequencesthat can derail an institutions product strategy.

ASK PERMISSSION, NOT FORGIVENESS – DISCUSS NEW INITIATIVES WITH YOUR PRIMARY REGULATOR!

Consumer Consent Overview37

To facilitate and encourage electronic commerce, Congress enacted the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) on June 30, 2000.

The E-SIGN Act states that the validity or enforceability of a contract, electronic record, or signature for a transaction affecting interstate commerce cannot be challenged solely because it is in electronic form or because an electronic signature or record was used in the formation of the contract.

When businesses are legally required to make information available to a consumer in writing, the information can be delivered electronically as long as there is prior compliance with the E-SIGN Act's customer consent requirements.

Six-Step Consumer Consent Process38

Step 1 – Availability of Paper Delivery or Paper Copies

Step 2 – Consent Choices

Step 3 – Consumer Actions

Step 4 – Hardware/Software Requirements

Step 5 – Affirmatively Consent

Step 6 – "After Consent" Disclosure

E-SIGN Requirements39

Indicate whether customers have a right or option to receive information on paper.

Identify whether the consent relates to a particular transaction (e.g., account opening disclosures) or to ongoing disclosures over the course of the relationship (e.g., monthly statements and change-in-terms notices).

Explain that the consumer has the right to withdraw consent and provide the procedures to withdraw consent as well as the consequences of withdrawing consent, such as fees, termination of the relationship, loss of preferred pricing, or having to switch account types.

E-SIGN Requirements40

Describe the procedures for updating the consumer’s contact information.

Outline the hardware and software requirements for accessing and retaining records.

Explain how to obtain paper disclosures after consent has been given and describe any associated fees.

Consumers must also consent electronically, or electronically confirm consent, in a manner that reasonably demonstrates their ability to receive or access the information electronically. Having consumers retrieve a code contained within in a document sent to them is one way to demonstrate accessing of information.

Risks and Implementation Steps41

1. Information about the customer. These are “tell us more about you” questions and will be similar to questions asked during the in-person new account interview.

2. Verification of the customer’s TRUE identity and completion of CIP requirements for: Name Date of birth Address Identification number E-mail address for E-SIGN compliance and due diligence

Risks and Implementation Steps42

3. Completing the account agreement and signing required documents (deposit agreement, signature card, W-9, etc.). These documents can be “wet signed” by sending paper documents or can be provided electronically and signed electronically.

4. Completing verification process and funding the account. The opening deposit can be made by mailing a check or by electronic funding with appropriate authorization, account number and routing/transit number information.

Ten Regulatory Requirements and Issues43

Regulations or Requirements Issues1. BSA (Bank Secrecy Act) and CIP

(Customer Identification Program)Verify the true identity of the deposit customer and create a RISK profile based on the increased risks of online account opening.

2. Disclosures – accuracy, completeness, and delivery

Deliver accurate account disclosures. Confirm that all E-SIGN consent steps have been completed. There are SIX steps for consent.


Regulations or Requirements Issues

3. Regulatory Oversight (UDAAP –Unfair Deceptive Abusive Acts and Practices)

Confirm that all advertising and account information was provided and that the consumer was advised of all fees and that an informed decision was made in the consumer’s best interest.

4. Advertising Review requirements for advertising, especially Truth in Savings, for triggering terms and required model language.


Regulations or Requirements Issues5. Privacy – information sharing

practices Provide actual practices and opt-out options.

6. Technology – changes in sending and receiving electronic disclosures and information

Monitor software and hardware requirements. Implement audit and internal control procedures.

7. Cybersecurity – identity theft and elder abuse

Exercise due diligence for “out-of-wallet” questions to detect fraud and identity theft. Be alert to the potential for abuse of older customers and elder abuse; provide resources for identity theft reporting and resources for seniors.


Regulations or Requirements Issues8. Policies and procedures Have all policies and procedures been

updated to reflect the risks of online account opening, revised CIP and CDD procedures for BSA compliance, updates to required risk assessments (BSA, Identity Theft Red Flags, OFAC, audit, deposit compliance)?


Regulations or Requirements Issues9. Social media – restrictions on

employees use of social media in the workplace

A social media policy is required so employees understand that “personal” is “public” and there are restrictions against “advertising” services that an employee can offer or how complaints may be handled.


Regulations or Requirements Issues10. Complaints It is a best practice and regulatory

expectation to have a complaint policy and procedures. Complaints can be sent to social media and must be reviewed.

Check YOUR regulators resources and exam procedures for expectations about handling complaints

UDAAP Lessons and Complaints49

UDAAP Is Everywhere

Say What You Mean, and Mean What You Say

Vendor Management – Pay Attention to Third-Party Providers

Four Principles of UDAAP Concepts1. Value

2. Understanding

3. Predictability

4. Appropriateness

Mobile Financial Services Update50

Mobile financial services technologies

Risk identification

Risk measurement

Risk mitigation

Monitoring and reporting

Risk Management of E-Banking Activities51

Speed of technological change,

Changing customer expectations,

Increased visibility of publicly accessible networks (e.g., the internet),

Less face-to-face interaction with financial institution customers,

Need to integrate e-banking with the institution's legacy computer systems,

Dependence on third parties for necessary technical expertise, and

Proliferation of threats and vulnerabilities in publicly accessible networks.

10 Considerations When Selecting an E-Signature Vendor52

1. Are e-signed documents legally protected?2. Are e-signatures secure?3. Are e-signed documents safe in the cloud?4. Is it easy to use?5. Does the e-signature solution support different signature capture methods?6. Is the e-signature solution customizable?7. Is the e-signature solution mobile-friendly?8. How flexible is the e-signature solution?9. Does the e-signature vendor understand the unique requirements of a

financial institution?10. Does the e-signature vendor have a favorable reputation in the industry?

Managing Vendor Risk 53

GLBA Requirements

Apply appropriate due diligence when choosing service providers,

Require service providers via contract to implement proper data security processes, and

Monitor service providers through activities such as reviewing audits and test results as directed by the financial institution’s risk assessment. Additionally, for high-risk vendors (such as outsourced core processors and internet-banking providers), the financial institution should monitor and validate controls through periodic self-assessments or other means.

E-SIGN Resources54

Interagency Social Media Guidance; risk areas include Compliance and Legal Risks (various regulations are outlined); payment systems, BSA: Privacy; CAN-SPAM and Telephone Consumer Protection Act (TCPA); Children’s Online Privacy Protection Act (COPPA); reputation risk; operational risk; conclusion.

Interagency Weblinking Guidance; virtually every website contains weblinks. A weblink is a word, phrase, or image on a webpage that contains coding that will transport the viewer to a different part of the website or a completely different website by just clicking the mouse. While weblinks are a convenient and accepted tool in website design, their use can present certain risks. Generally, the primary risk posed by weblinking is that viewers can become confused about whose website they are viewing and who is responsible for the information, products, and services available through that website. See Risk Management Techniques.

ADA Issues and Website Accessibility55

Since the beginning of 2015, more than 244 federal lawsuits have been filed throughout the country against companies of all sizes, including banks and credit unions. Demand letters have seen sent the people with disabilities were denied online access in violation of the ADA (Americans with Disabilities Act).

There are three ways that ADA compliance may be important:

1. In court

2. With customers

3. Among peers or competitors

Toolkit Resources56

Examination Checklist for E-SIGN57

Procedures for affirmative consent and proof that consent has not been withdrawn Consumer rights Consent withdrawal and updates; paper copy can be requested Fees for withdrawal or paper copies Hardware and software requirements prior to consent Consumer consents electronically in manner that demonstrates information can be

accessed (oral communication is NOT a valid E-sign record) Changes in hardware or software are communicated Disclosure of consumer’s right to withdraw consent without fees unless the fees

were previously disclosed Electronic records accurately reflect information from contracts, notices,

disclosures and remain accessible according to legal requirements

Social Media: Risk Management Guidance58

• Compliance and Legal Risks• Truth in Savings Act/Regulation DD • Unfair, Deceptive, or Abusive Acts or

Practices• Deposit Insurance or Share Insurance• Electronic Fund Transfer

Act/Regulation E and Check rules• Bank Secrecy Act/Anti-Money

Laundering Programs (BSA/AML)

• Privacy• CAN-SPAM Act and Telephone

Consumer Protection Act• Children’s Online Privacy

Protection Act• Reputation risk – fraud, third-party

risk, privacy, complaints• Employee Use of Social Media Sites• Operational risk

Social Media Policy Template59

1. Acceptable use of social media by the institution

2. Acceptable use of the institution’s data network for personal and commercial social media use

3. Social media policy monitoring including

• Employees breaching social media policies

• Inappropriate use of the institution’s name

• Negative posts

Social Media Policy Template60

4. Social media policy violation 5. Social media policy and acceptable use training including:

• Need for professionalism • Compliance with laws and regulations • How best to represent the institution and protect its reputation• Appropriate communication with customers, employees, competitors, and the

public through social media networks • Limitations for disclosure of proprietary and confidential information about the

institution and customers • Limitations of personal use of blogs, website, and social networking sites • When to transition a communication to private, one-to-one channels

(e.g., direct email, telephone, etc.)• Avoidance of controversial topics

Questions?61

Thank You for Attending!Susan Costonis, [email protected]

mailto:[email protected]

opening deposit accounts online: rules, risks & …...opening deposit accounts online: rules,...

Documents